Does having access to an application that implements encryption and decryption make it easier to crack?

StackOverflow https://stackoverflow.com/questions/15079714

Question

Say I have an application that is to read and write files which are protected with a hash (to detect tampering and corruption) and optionally encryption with a user's key. The application will necessarily include compiled code to hash, encrypt and decrypt the data.

Assuming we are using rigorous algorithms like salted and stretched AES-256 and SHA-256, does the fact that the user has the application in compiled form (and with some effort could presumably work out the algorithms being used) make it any easier for them to crack the encryption, or generate a fake hash?

If this is in fact a serious vulnerability, what measures would anyone suggest to mitigate the vulnerability?


Solution

The only case when having an application's source would be a vulnerability is when the application itself has a serious flaw, for example

  • Is employing a security through obscurity technique,
  • Embeds a secret in the body of the program,
  • Makes a mistake in implementing a well-known algorithm that opens up the implementation to an attack.

Essentially, your product becomes more vulnerable when an attacker has its source, because the attacker can more easily spot your coding mistakes. However, it's coding mistakes that make your application crackable, not the fact that an attacker has your source code.
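The question's "generate a fake hash" worry, as an added example (not code from the question or the answer): an unkeyed SHA-256 tag can be recomputed by anyone who has the application, while an HMAC under a key stretched from the user's passphrase cannot be recomputed without that passphrase even with full knowledge of the code. The file layout (salt || data || tag) and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample file contents for the demonstration.
ORIGINAL = b"balance=100\n"
TAMPERED = b"balance=999\n"

# Weak design: the integrity tag is an unkeyed SHA-256 of the data.
# Anyone who has the application (or reads its code) can compute it.
def seal_unkeyed(data: bytes) -> bytes:
    return data + hashlib.sha256(data).digest()

def verify_unkeyed(blob: bytes) -> bool:
    data, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(hashlib.sha256(data).digest(), tag)

# Sound design: the tag is an HMAC under a key stretched from the user's
# passphrase with PBKDF2 (assumed parameters). The algorithm is public;
# only the key is secret, which is all the design relies on.
def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000)

def seal_keyed(data: bytes, passphrase: bytes) -> bytes:
    salt = os.urandom(16)
    tag = hmac.new(derive_key(passphrase, salt), data, "sha256").digest()
    return salt + data + tag

def verify_keyed(blob: bytes, passphrase: bytes) -> bool:
    salt, data, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(derive_key(passphrase, salt), data, "sha256").digest()
    return hmac.compare_digest(expected, tag)

def unkeyed_forgery_passes() -> bool:
    # Knowing the code is enough to re-seal modified data: the verifier
    # accepts the tampered file as genuine.
    return verify_unkeyed(seal_unkeyed(TAMPERED))

def keyed_forgery_fails(real_passphrase: bytes, guess: bytes) -> bool:
    blob = seal_keyed(ORIGINAL, real_passphrase)
    salt = blob[:16]
    # Same code, same format, same salt, but a wrong passphrase: the
    # re-tagged file is rejected because the key, not the algorithm, is secret.
    forged_tag = hmac.new(derive_key(guess, salt), TAMPERED, "sha256").digest()
    return not verify_keyed(salt + TAMPERED + forged_tag, real_passphrase)
```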

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow